CVE-2018-1000180 — HIGH (7.5)

Q: How severe is CVE-2018-1000180?

CVE-2018-1000180 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1000180?

Check the references section above for vendor advisories and patch information. Affected products include: Bouncycastle Bc-Java, Bouncycastle Fips Java Api, Debian Debian Linux, Oracle Api Gateway, Oracle Business Process Management Suite.

Vulnerability Description

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Bouncycastle	Bc-Java	>= 1.54, <= 1.59
Bouncycastle	Fips Java Api	<= 1.0.1
Debian	Debian Linux	9.0
Oracle	Api Gateway	11.1.2.4.0
Oracle	Business Process Management Suite	11.1.1.9.0
Oracle	Business Transaction Management	12.1.0
Oracle	Communications Application Session Controller	3.7.1
Oracle	Communications Converged Application Server	< 7.0.0.1
Oracle	Communications Webrtc Session Controller	< 7.2
Oracle	Enterprise Repository	12.1.3.0.0
Oracle	Managed File Transfer	12.1.3.0.0
Oracle	Peoplesoft Enterprise Peopletools	8.55
Oracle	Retail Convenience And Fuel Pos Software	2.8.1
Oracle	Retail Xstore Point Of Service	7.0
Oracle	Soa Suite	12.1.3.0.0
Oracle	Webcenter Portal	11.1.1.9.0
Oracle	Weblogic Server	12.1.3.0.0
Netapp	Oncommand Workflow Automation	-
Redhat	Virtualization	4.2
Redhat	Jboss Enterprise Application Platform	7.1.0

Related Weaknesses (CWE)

CWE-327

References

http://www.securityfocus.com/bid/106567Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2423Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2424Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2425Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2428Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2643Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2669Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55adPatchThird Party Advisory
https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839PatchThird Party Advisory
https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c24
https://security.netapp.com/advisory/ntap-20190204-0003/PatchThird Party Advisory
https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iThird Party Advisory
https://www.debian.org/security/2018/dsa-4233Third Party Advisory

FAQ

What is CVE-2018-1000180?

CVE-2018-1000180 is a vulnerability with a CVSS score of 7.5 (HIGH). Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added ...

How severe is CVE-2018-1000180?

CVE-2018-1000180 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000180?

Check the references section above for vendor advisories and patch information. Affected products include: Bouncycastle Bc-Java, Bouncycastle Fips Java Api, Debian Debian Linux, Oracle Api Gateway, Oracle Business Process Management Suite.